connect() tries to use IPv6 address on IPv4 connections (sometimes), when it doesn’t it gives an SSL error #105

Closed
yangm97 opened this issue Apr 30, 2017 · 7 comments

Comments

@yangm97

yangm97 commented Apr 30, 2017

I simply copied the sample code, replaced the domain with a dual-stack one (in this case, the Telegram Bot API), and I have noticed it sometimes throws this error:

connect() to [2600:1f16:59e:b200:dd1c:548d:63ef:7119]:443 failed (101: Network unreachable)

When it does use the correct IP address, I get an SSL error:

lua ssl certificate verify error: (20: unable to get local issuer certificate)

I’m using openresty/openresty:alpine-fat docker image, if it matters.

@yangm97
Author

yangm97 commented Apr 30, 2017

Additional info: I’m running Docker for Mac and my nginx.conf is as follows:

worker_processes  1;
error_log /dev/stderr notice;

env TG_TOKEN;
env SUPERADMINS;
env LOG;
env CHANNEL;
env SOURCE;
env GROUP;
env CORE_LANG;

events {
	worker_connections 32;
}

http {
	access_log /dev/stdout;
	lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
	lua_package_path ";;$prefix/lua/?.lua;";
	lua_code_cache off; #only during development
	init_by_lua_file lua/init.lua;
	server {
		listen 80;
		charset utf-8;
		charset_types application/json;
		default_type application/json;
		location /mybot {
			resolver 8.8.8.8;
			content_by_lua_file lua/handler.lua;
		}
	}
}

As you can see, the lua_ssl_trusted_certificate property is set.

@pintsized
Member

We don't yet currently support ipv6 literals (but we should). This PR is under review: #104

I suspect the SSL issue is unrelated. Are you calling ssl_handshake?

@yangm97
Author

yangm97 commented Jun 2, 2017

I didn’t use a literal; the problem was probably due to my connection being IPv4-only and resty sometimes getting an IPv6 address from the DNS resolver.

@turbo

turbo commented Nov 7, 2018

That's still very much an issue. The SSL error can be silenced using the ssl verify param, but if the resolver gives an IPv6 address, the request fails. In my example, I'm using Cloudflare's 1.1.1.1 instead of Google's 8.8.8.8, but IPv6 should be supported regardless of the resolver.

@hrsantiago

hrsantiago commented Sep 9, 2021

I still get the same issue using version 0.16.1. Thought it was fixed on PR #104.

connect() to [2001:67c:4e8:1033:5:100:0:a]:443 failed (101: Network is unreachable)

Also using docker.

@youanden

I solved this problem by turning off ipv6 in the resolver:

 resolver 1.1.1.1 ipv6=off;

@xiangnanscu

I solved this problem by turning off ipv6 in the resolver:

 resolver 1.1.1.1 ipv6=off;

Thanks, dude. You saved my day.
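
The diagnosis reached in this thread, as an added example (not code from lua-resty-http or from any commenter): a Python check that finds `resolver` directives without `ipv6=off` in an nginx config and pairs them with error-log lines where `connect()` to an IPv6 literal failed with errno 101. The function names are hypothetical, and the sample config and log are constructed from the snippets quoted above, with 192.0.2.10 as a placeholder IPv4 address.

```python
import re

# "resolver <addr...> [ipv6=off] ...;" ("resolver_timeout" and commented lines do not match)
RESOLVER_RE = re.compile(r"^[ \t]*resolver\s+([^;#]+);", re.MULTILINE)
# nginx error-log fragment for a failed connect to an IPv6 literal (errno 101)
V6_FAIL_RE = re.compile(r"connect\(\) to \[([0-9A-Fa-f:]+)\]:(\d+) failed \(101: ")

def resolvers_returning_aaaa(conf_text):
    """Return (line_number, args) for each resolver directive without ipv6=off."""
    findings = []
    for m in RESOLVER_RE.finditer(conf_text):
        args = m.group(1).split()
        if "ipv6=off" not in args:
            line_no = conf_text.count("\n", 0, m.start(1)) + 1
            findings.append((line_no, args))
    return findings

def unreachable_v6_targets(log_text):
    """Map each IPv6 upstream that failed with errno 101 to its failure count."""
    counts = {}
    for addr, _port in V6_FAIL_RE.findall(log_text):
        counts[addr] = counts.get(addr, 0) + 1
    return counts

def diagnose(conf_text, log_text):
    """Pair both signals: AAAA-capable resolvers plus 'network unreachable' on IPv6."""
    open_resolvers = resolvers_returning_aaaa(conf_text)
    failures = unreachable_v6_targets(log_text)
    return {
        "resolvers_without_ipv6_off": open_resolvers,
        "unreachable_ipv6_upstreams": failures,
        "likely_ipv4_only_host": bool(open_resolvers and failures),
    }

# Constructed sample input, based on the config and log lines quoted in this thread.
SAMPLE_CONF = """\
location /mybot {
    resolver 8.8.8.8;
}
location /fixed {
    resolver 1.1.1.1 ipv6=off;
}
"""
SAMPLE_LOG = """\
connect() to [2600:1f16:59e:b200:dd1c:548d:63ef:7119]:443 failed (101: Network unreachable)
connect() to [2001:67c:4e8:1033:5:100:0:a]:443 failed (101: Network is unreachable)
connect() to 192.0.2.10:443 failed (110: Connection timed out)
"""
if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, SAMPLE_LOG))
```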
